<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: ISE - 802.1x certificate authentication without identity lookup in in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/ise-802-1x-certificate-authentication-without-identity-lookup-in/m-p/5351972#M599189</link>
    <description>&lt;P&gt;I know ISE is a beast though I would normally expect in CAP to simply say "don't validate identity" to keep it simple, though not simple as that.&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Wed, 03 Dec 2025 10:57:34 GMT</pubDate>
    <dc:creator>Martin Jelinek</dc:creator>
    <dc:date>2025-12-03T10:57:34Z</dc:date>
    <item>
      <title>ISE - 802.1x certificate authentication without identity lookup in AD</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-802-1x-certificate-authentication-without-identity-lookup-in/m-p/5351901#M599183</link>
      <description>&lt;P&gt;Hello everyone&lt;BR /&gt;&lt;BR /&gt;Does anyone have experience with ISE (3.x) configuration related to 802.1x for wired clients connecting to network where identity lookup in AD shouldn't be done?&lt;/P&gt;&lt;P&gt;We have some specific use case for clients who are issued with certificate from internal PKI and there is a need to allow such clients to perform 802.1x authentication based on client (machine) certificate, but there is NO need for identity lookup in any store (not AD nor internal).&lt;/P&gt;&lt;P&gt;Basically client should just present valid certificate signed by internal PKI which is verified by ISE that certificate is valid/trusted and then run authorization policy to assign user into VLAN X.&amp;nbsp;&lt;/P&gt;&lt;P&gt;Problem is that it looks that ISE always performs some kind of identity lookup which is taken e.g. from certificate CN or SAN entry etc.&amp;nbsp;&lt;/P&gt;&lt;P&gt;Any clue how to configure ISE policy or profile to NOT perform any identity lookup and simply accept client if presented certificate is valid/trusted? Can't see any option in Certificate auth profile for such a way.&lt;/P&gt;&lt;P&gt;In policy authorization policy it looks straightforward however from logs I can see identity lookup is always performed.&lt;/P&gt;&lt;P&gt;Thank you for any hint.&lt;/P&gt;&lt;P&gt;Martin&lt;/P&gt;</description>
      <pubDate>Wed, 03 Dec 2025 08:12:26 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-802-1x-certificate-authentication-without-identity-lookup-in/m-p/5351901#M599183</guid>
      <dc:creator>Martin Jelinek</dc:creator>
      <dc:date>2025-12-03T08:12:26Z</dc:date>
    </item>
    <item>
      <title>Re: ISE - 802.1x certificate authentication without identity lookup in</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-802-1x-certificate-authentication-without-identity-lookup-in/m-p/5351905#M599184</link>
      <description>&lt;P&gt;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/285453"&gt;@Martin Jelinek&lt;/a&gt;&amp;nbsp;is a CAP (Certificate Authentication Profile) used which is performing lookup to AD?&lt;/P&gt;</description>
      <pubDate>Wed, 03 Dec 2025 08:21:33 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-802-1x-certificate-authentication-without-identity-lookup-in/m-p/5351905#M599184</guid>
      <dc:creator>Rob Ingram</dc:creator>
      <dc:date>2025-12-03T08:21:33Z</dc:date>
    </item>
    <item>
      <title>Re: ISE - 802.1x certificate authentication without identity lookup in</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-802-1x-certificate-authentication-without-identity-lookup-in/m-p/5351912#M599185</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;
&lt;P&gt;&amp;nbsp; &amp;nbsp;Although not a common scenario, you should be able to make it work as follows:&lt;/P&gt;
&lt;P&gt;1. Ensure your CAP / Certificate Authentication Profile does not rely on AD for the authentication phase; when you create the CAP, leave the Identity field empty, to prevent ISE from performing an AD query/lookup; also ensure that "Binary Comparison" option is unchecked, to also prevent ISE from performing an AD lookup during the authentication phase; ensure to configure which certificate attribute / field you want ISE to use as Identity, ideally pick something which is not specific to an endpoint (like CN or SAN), rather pick a field which has the same value for all certificates issued to any endpoint.&lt;/P&gt;
&lt;P&gt;2. When configuring authorization policy, ensure you don't use AD lookup as condition, rather use a certificate match criteria that matches on whatever certificate attribute you've mentioned in previous step as Identity.&lt;/P&gt;
&lt;P&gt;Last but not least, ensure that when building the above, you're not matching on other requests that might reach ISE, so you're not accidentally authenticating and authorising other endpoints as well.&lt;/P&gt;
&lt;P&gt;Thanks,&lt;/P&gt;
&lt;P&gt;Cristian.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 03 Dec 2025 14:50:39 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-802-1x-certificate-authentication-without-identity-lookup-in/m-p/5351912#M599185</guid>
      <dc:creator>Cristian Matei</dc:creator>
      <dc:date>2025-12-03T14:50:39Z</dc:date>
    </item>
    <item>
      <title>Re: ISE - 802.1x certificate authentication without identity lookup in</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-802-1x-certificate-authentication-without-identity-lookup-in/m-p/5351965#M599188</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036"&gt;@Rob Ingram&lt;/a&gt;&amp;nbsp;&lt;a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/295226"&gt;@Cristian Matei&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;My CAP is configured as per attachment and there is no option to "exclude" such AD lookup as far as I can tell..&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MartinJelinek_0-1764758549624.png" style="width: 400px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/256186iC69C6CE473487793/image-size/medium?v=v2&amp;amp;px=400" role="button" title="MartinJelinek_0-1764758549624.png" alt="MartinJelinek_0-1764758549624.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;However, even though I can see in log entries that processing is trying to query domain for an identity check:&lt;/P&gt;&lt;TABLE border="0" cellpadding="3"&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD&gt;24209&lt;/TD&gt;&lt;TD&gt;Looking up Endpoint in Internal Endpoints IDStore - xxxxxx-yyyyy-zzzz-aaaaa&lt;/TD&gt;&lt;TD&gt;1&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&amp;nbsp;&lt;/TD&gt;&lt;TD&gt;24211&lt;/TD&gt;&lt;TD&gt;Found Endpoint in Internal Endpoints IDStore&lt;/TD&gt;&lt;TD&gt;2&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&amp;nbsp;&lt;/TD&gt;&lt;TD&gt;15048&lt;/TD&gt;&lt;TD&gt;Queried PIP - Radius.Service-Type&lt;/TD&gt;&lt;TD&gt;1&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&amp;nbsp;&lt;/TD&gt;&lt;TD&gt;15048&lt;/TD&gt;&lt;TD&gt;Queried PIP - Radius.NAS-Port-Type&lt;/TD&gt;&lt;TD&gt;0&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&amp;nbsp;&lt;/TD&gt;&lt;TD&gt;24433&lt;/TD&gt;&lt;TD&gt;Looking up machine in Active Directory -xxxxxx-yyyyy-zzzz-aaaaa&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&amp;nbsp;&lt;/TD&gt;&lt;TD&gt;24325&lt;/TD&gt;&lt;TD&gt;Resolving identity&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&amp;nbsp;&lt;/TD&gt;&lt;TD&gt;24313&lt;/TD&gt;&lt;TD&gt;Search for matching accounts at join point&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&amp;nbsp;&lt;/TD&gt;&lt;TD&gt;24318&lt;/TD&gt;&lt;TD&gt;No matching account found in forest&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&amp;nbsp;&lt;/TD&gt;&lt;TD&gt;24322&lt;/TD&gt;&lt;TD&gt;Identity resolution detected no matching account&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&amp;nbsp;&lt;/TD&gt;&lt;TD&gt;24352&lt;/TD&gt;&lt;TD&gt;Identity resolution failed&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&amp;nbsp;&lt;/TD&gt;&lt;TD&gt;24437&lt;/TD&gt;&lt;TD&gt;Machine not found in Active Directory&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&amp;nbsp;&lt;/TD&gt;&lt;TD&gt;15048&lt;/TD&gt;&lt;TD&gt;Queried PIP - AD1.ExternalGroups&lt;/TD&gt;&lt;TD&gt;19&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&amp;nbsp;&lt;/TD&gt;&lt;TD&gt;15048&lt;/TD&gt;&lt;TD&gt;Queried PIP - AD1.ExternalGroups&lt;/TD&gt;&lt;TD&gt;0&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;P&gt;Please note that obviously we use ISE and AD integration for other use cases so identity check is required normally, but trying to fit in with other use case to simply authorize specific clients based on certificate attribute (SAN entry) to verify just validity/trust of such client based on certificate and if so, then authorization policy should assign correct VLAN for the client...&lt;/P&gt;&lt;P&gt;I don't have policy rule with condition to refer to AD lookup. Well at least not that I would be aware of. &lt;span class="lia-unicode-emoji" title=":confused_face:"&gt;😕&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 03 Dec 2025 10:48:32 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-802-1x-certificate-authentication-without-identity-lookup-in/m-p/5351965#M599188</guid>
      <dc:creator>Martin Jelinek</dc:creator>
      <dc:date>2025-12-03T10:48:32Z</dc:date>
    </item>
    <item>
      <title>Re: ISE - 802.1x certificate authentication without identity lookup in</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-802-1x-certificate-authentication-without-identity-lookup-in/m-p/5351972#M599189</link>
      <description>&lt;P&gt;I know ISE is a beast though I would normally expect in CAP to simply say "don't validate identity" to keep it simple, though not simple as that.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 03 Dec 2025 10:57:34 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-802-1x-certificate-authentication-without-identity-lookup-in/m-p/5351972#M599189</guid>
      <dc:creator>Martin Jelinek</dc:creator>
      <dc:date>2025-12-03T10:57:34Z</dc:date>
    </item>
    <item>
      <title>Re: ISE - 802.1x certificate authentication without identity lookup in</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-802-1x-certificate-authentication-without-identity-lookup-in/m-p/5352056#M599201</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;
&lt;P&gt;&amp;nbsp; &amp;nbsp;Your CAP looks good per what you're trying to achieve, not mentioning AD in Identity Store field, means no AD lookup. What do your authentication and authorization policies look like for the goal you have in place? Do you have an active client to test with and check results / logs?&lt;/P&gt;
&lt;P&gt;Thanks,&lt;/P&gt;
&lt;P&gt;Cristian.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Wed, 03 Dec 2025 14:54:46 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-802-1x-certificate-authentication-without-identity-lookup-in/m-p/5352056#M599201</guid>
      <dc:creator>Cristian Matei</dc:creator>
      <dc:date>2025-12-03T14:54:46Z</dc:date>
    </item>
    <item>
      <title>Re: ISE - 802.1x certificate authentication without identity lookup in</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-802-1x-certificate-authentication-without-identity-lookup-in/m-p/5352261#M599211</link>
      <description>&lt;P&gt;Hi, yes I have a client to test this policy with and I can always see in log details (steps) involving identity lookup which shouldn't be happening, to my understanding.&lt;BR /&gt;&lt;BR /&gt;Policy is quite simple.&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;&lt;P&gt;Policy matching criteria is based on Wired_802.1X using TLS so client and server (ISE) need to trust each other.&lt;/P&gt;&lt;P&gt;In authentication part there is "Network Access:AuthenticationMethod = x509_PKI" checking content of the SAN entry within certificate presented by client. The authentication part looks to succeed..&lt;/P&gt;&lt;TABLE border="0" cellpadding="3"&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD&gt;22070&lt;/TD&gt;&lt;TD&gt;Identity name is taken from certificate attribute&lt;/TD&gt;&lt;TD&gt;0&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&amp;nbsp;&lt;/TD&gt;&lt;TD&gt;22037&lt;/TD&gt;&lt;TD&gt;Authentication Passed&lt;/TD&gt;&lt;TD&gt;0&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&amp;nbsp;&lt;/TD&gt;&lt;TD&gt;12506&lt;/TD&gt;&lt;TD&gt;EAP-TLS authentication succeeded&lt;/TD&gt;&lt;TD&gt;0&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;P&gt;And within Authorization part, it looks matching rule is missed. Though, still it just checks SAN entry for specific content and doing "Network Access: EapAuthentication = EAP-TLS" with specific authorization results to assign such client to vlan X.&lt;/P&gt;&lt;P&gt;It is just that simple and that is why I'm not sure where the identity lookup is coming from as I have not specified it to what I can tell &lt;span class="lia-unicode-emoji" title=":confused_face:"&gt;😕&lt;/span&gt; So either, ISE always tries to do identity lookup and has no influence on the actual processing result or it does influence result somehow while using TLS and 802.1X.&lt;/P&gt;&lt;TABLE border="0" cellpadding="3"&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD&gt;15036&lt;/TD&gt;&lt;TD&gt;Evaluating Authorization Policy&lt;/TD&gt;&lt;TD&gt;0&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&amp;nbsp;&lt;/TD&gt;&lt;TD&gt;24209&lt;/TD&gt;&lt;TD&gt;Looking up Endpoint in Internal Endpoints IDStore -&lt;SPAN&gt;xxxxxx-yyyyy-zzzz-aaaaa&lt;/SPAN&gt;&lt;/TD&gt;&lt;TD&gt;1&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&amp;nbsp;&lt;/TD&gt;&lt;TD&gt;24211&lt;/TD&gt;&lt;TD&gt;Found Endpoint in Internal Endpoints IDStore&lt;/TD&gt;&lt;TD&gt;2&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&amp;nbsp;&lt;/TD&gt;&lt;TD&gt;15048&lt;/TD&gt;&lt;TD&gt;Queried PIP - Radius.Service-Type&lt;/TD&gt;&lt;TD&gt;1&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&amp;nbsp;&lt;/TD&gt;&lt;TD&gt;15048&lt;/TD&gt;&lt;TD&gt;Queried PIP - Radius.NAS-Port-Type&lt;/TD&gt;&lt;TD&gt;0&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&amp;nbsp;&lt;/TD&gt;&lt;TD&gt;24433&lt;/TD&gt;&lt;TD&gt;Looking up machine in Active Directory -&lt;SPAN&gt;xxxxxx-yyyyy-zzzz-aaaaa&lt;/SPAN&gt;&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&amp;nbsp;&lt;/TD&gt;&lt;TD&gt;24325&lt;/TD&gt;&lt;TD&gt;Resolving identity&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&amp;nbsp;&lt;/TD&gt;&lt;TD&gt;24313&lt;/TD&gt;&lt;TD&gt;Search for matching accounts at join point&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&amp;nbsp;&lt;/TD&gt;&lt;TD&gt;24318&lt;/TD&gt;&lt;TD&gt;No matching account found in forest&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&amp;nbsp;&lt;/TD&gt;&lt;TD&gt;24322&lt;/TD&gt;&lt;TD&gt;Identity resolution detected no matching account&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&amp;nbsp;&lt;/TD&gt;&lt;TD&gt;24352&lt;/TD&gt;&lt;TD&gt;Identity resolution failed&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;&amp;nbsp;&lt;/TD&gt;&lt;TD&gt;24437&lt;/TD&gt;&lt;TD&gt;Machine not found in Active Directory&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 04 Dec 2025 07:47:54 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-802-1x-certificate-authentication-without-identity-lookup-in/m-p/5352261#M599211</guid>
      <dc:creator>Martin Jelinek</dc:creator>
      <dc:date>2025-12-04T07:47:54Z</dc:date>
    </item>
    <item>
      <title>Re: ISE - 802.1x certificate authentication without identity lookup in</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-802-1x-certificate-authentication-without-identity-lookup-in/m-p/5352335#M599219</link>
      <description>&lt;P&gt;It could be the SAN check you're doing on the authorization rule that is causing ISE to go and check that identity in the AD. The "not applicable" option you rightly selected in the CAP affects only authentication, it has nothing to do with authorization. I would suggest to try to remove the SAN check on the authorization rule for testing, and if that resolves the issue then probably you would need to find another way to try to match specific clients.&lt;/P&gt;</description>
      <pubDate>Thu, 04 Dec 2025 11:50:28 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-802-1x-certificate-authentication-without-identity-lookup-in/m-p/5352335#M599219</guid>
      <dc:creator>Aref Alsouqi</dc:creator>
      <dc:date>2025-12-04T11:50:28Z</dc:date>
    </item>
    <item>
      <title>Re: ISE - 802.1x certificate authentication without identity lookup in</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-802-1x-certificate-authentication-without-identity-lookup-in/m-p/5352378#M599220</link>
      <description>&lt;P&gt;I can give it a try, though this would be quite unfortunate as Windows 11 are by nature managed through EntraID and therefore are not part of internal domain ISE uses for identity lookups... That is the reason why we are looking into verification of the certificate and specific SAN content with hope ISE will not do identity lookup! &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt; Otherwise it might be quite difficult to find anything else as certificate is the thing to be used for client validation without AD identity lookup.&lt;/P&gt;&lt;P&gt;I can try to test next week hopefully &lt;span class="lia-unicode-emoji" title=":confused_face:"&gt;😕&lt;/span&gt; Worst case I can crosscheck with TAC if assumption is correct or not. Thank you&lt;/P&gt;</description>
      <pubDate>Thu, 04 Dec 2025 13:58:26 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-802-1x-certificate-authentication-without-identity-lookup-in/m-p/5352378#M599220</guid>
      <dc:creator>Martin Jelinek</dc:creator>
      <dc:date>2025-12-04T13:58:26Z</dc:date>
    </item>
    <item>
      <title>Re: ISE - 802.1x certificate authentication without identity lookup in</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-802-1x-certificate-authentication-without-identity-lookup-in/m-p/5353607#M599248</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;
&lt;P&gt;&amp;nbsp; &amp;nbsp;Since SAN is the actual identity, within your authorization rule, can you replace SAN check with some other certificate attribute check?&lt;/P&gt;
&lt;P&gt;&amp;nbsp; &amp;nbsp;The other solution would be to use a non-unique / more generic certificate attribute &amp;nbsp;(other than SAN) within your CAP and use the same attribute within your ISE authentication policy; afterwards use SAN within your ISE authorization policy. This should give you a solution for what you're looking to achieve, while also keeping the required flexibility of matching on SAN for the authorization policy.&lt;/P&gt;
&lt;P&gt;Thanks,&lt;/P&gt;
&lt;P&gt;Cristian.&lt;/P&gt;</description>
      <pubDate>Tue, 09 Dec 2025 20:02:29 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-802-1x-certificate-authentication-without-identity-lookup-in/m-p/5353607#M599248</guid>
      <dc:creator>Cristian Matei</dc:creator>
      <dc:date>2025-12-09T20:02:29Z</dc:date>
    </item>
    <item>
      <title>Re: ISE - 802.1x certificate authentication without identity lookup in</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-802-1x-certificate-authentication-without-identity-lookup-in/m-p/5353709#M599250</link>
      <description>&lt;P&gt;I will be able to test hopefully next week, though SAN entry is natural choice as that is something our PKI is prepared for to specifically change for certain clients. Think I can use other certificate attribute like Certificate Template used which would be more generic, however requires some redo on PKI side of things as template is generic and used for all clients while SAN entry can be easily changed per client. Not everything I have permissions on so it would take some time.&lt;/P&gt;&lt;P&gt;Hopefully ISE checks identity only in case certificate attribute like CN, SAN is used by default. Which I would hope for is not the case and I can control behavior by configuration if identity should be checked or not. Let's see.&lt;/P&gt;&lt;P&gt;Thank you so far for all advice &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt; Appreciate.&lt;/P&gt;&lt;P&gt;Martin&lt;/P&gt;</description>
      <pubDate>Wed, 10 Dec 2025 05:56:41 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-802-1x-certificate-authentication-without-identity-lookup-in/m-p/5353709#M599250</guid>
      <dc:creator>Martin Jelinek</dc:creator>
      <dc:date>2025-12-10T05:56:41Z</dc:date>
    </item>
  </channel>
</rss>

